Skip to content

gh-94199: Remove the ssl.wrap_socket() function#94203

Merged
vstinner merged 1 commit intopython:mainfrom
vstinner:ssl_wrap_socket
Jul 8, 2022
Merged

gh-94199: Remove the ssl.wrap_socket() function#94203
vstinner merged 1 commit intopython:mainfrom
vstinner:ssl_wrap_socket

Conversation

@vstinner
Copy link
Copy Markdown
Member

@vstinner vstinner commented Jun 24, 2022
edited by bedevere-bot
Loading

Remove the ssl.wrap_socket() function, deprecated in Python 3.7:
instead, create a ssl.SSLContext object and call its
SSLContext.wrap_socket() method.

@vstinner vstinner marked this pull request as ready for review June 24, 2022 08:41
@vstinner
Copy link
Copy Markdown
Member Author

vstinner commented Jun 24, 2022

I'm not sure of the Python ecosystem is ready for this :-(

A code search for ssl.wrap_socket in PyPI top 5000 projects (at 2022-01-26) found 355 matching lines in 81 projects:

  • aliyun-python-sdk-core-2.13.35
  • amqp-5.0.9
  • ansible-5.2.0
  • asyncio-3.4.3
  • awscrt-0.13.0
  • AWSIoTPythonSDK-1.4.9
  • backports.ssl_match_hostname-3.7.0.1
  • bandit-1.7.2
  • boto-2.49.0
  • cassandra-driver-3.25.0
  • cbapi-1.7.6
  • clickhouse-driver-0.2.2
  • createsend-6.1.2
  • customerio-1.4
  • distlib-0.3.4.zip
  • distribute-0.7.3.zip
  • Django-4.0.1
  • eventlet-0.33.0
  • future-0.18.2
  • gevent-21.12.0
  • geventhttpclient-1.5.3
  • geventhttpclient-wheels-1.3.1.dev3
  • graypy-2.1.0
  • gsutil-5.6
  • gunicorn-20.1.0
  • heroku3-5.1.4
  • httplib2-0.20.2
  • httpretty-1.1.4
  • hyper-0.7.0
  • IMAPClient-2.2.0.zip
  • impacket-0.9.24
  • launchdarkly-server-sdk-7.3.0
  • ldap3-2.9.1
  • mercurial-6.0.1
  • mysql-connector-2.2.9
  • mysql-connector-python-rf-2.2.2
  • newrelic-7.4.0.172
  • oci-2.55.0
  • oslo.messaging-12.11.1
  • oslo.service-2.8.0
  • pex-2.1.65
  • pg8000-1.23.0
  • pika-1.2.0
  • pip-21.3.1
  • pipenv-2022.1.8
  • pycurl-7.44.1
  • pyeapi-0.8.4
  • pyftpdlib-1.5.6
  • pygelf-0.4.2
  • pykafka-2.8.0
  • PyKMIP-0.10.0
  • pylint-2.12.2
  • pylogbeat-2.0.0
  • python-glanceclient-3.5.0
  • python-magnumclient-3.5.0
  • python-telegram-bot-13.10
  • pyvmomi-7.0.3
  • py-zabbix-1.1.7
  • rabbitpy-2.0.1
  • raven-6.10.0
  • rethinkdb-2.4.8
  • salt-3004
  • secure-smtplib-0.1.1
  • snowflake-connector-python-2.7.3
  • speedtest-cli-2.1.3
  • splunk-sdk-1.6.18
  • sqreen-1.27.4
  • stem-1.8.0
  • stomp.py-7.0.0
  • superlance-2.0.0
  • thrift-0.15.0
  • thriftpy-0.3.9
  • thriftpy2-0.4.14
  • tornado-6.1
  • urllib3-1.26.8
  • uvloop-0.16.0
  • vertica-python-1.0.3
  • wincertstore-0.2.1.zip
  • ws4py-0.5.1
  • youtube_dl-2021.12.17
  • yt-dlp-2022.1.21

@vstinner vstinner marked this pull request as draft June 24, 2022 08:51
@vstinner vstinner mentioned this pull request Jun 24, 2022
Closed
@tiran
Copy link
Copy Markdown
Member

tiran commented Jul 8, 2022

ssl.wrap_socket() has been deprecated and documented as insecure since 3.7 (released 2018).

Any package] that still uses ssl.wrap_socket() is broken and insecure. The function neither sends a SNI TLS extension nor validates server hostname. Code is subject to CWE-295: Improper Certificate Validation and worth a CVE with at least medium severity.

@vstinner
gh-94199: Remove the ssl.wrap_socket() function
d09f060 
Remove the ssl.wrap_socket() function, deprecated in Python 3.7:
instead, create a ssl.SSLContext object and call its
sl.SSLContext.wrap_socket() method. Any package that still uses
ssl.wrap_socket() is broken and insecure. The function neither sends
a SNI TLS extension nor validates server hostname. Code is subject to
CWE-295 : Improper Certificate Validation.
@vstinner
Copy link
Copy Markdown
Member Author

vstinner commented Jul 8, 2022

Any package] that still uses ssl.wrap_socket() is broken and insecure. The function neither sends a SNI TLS extension nor validates server hostname. Code is subject to CWE-295: Improper Certificate Validation and worth a CVE with at least medium severity.

Oh wow, that sounds scary! I updated the documentation to mention that! But I omitted the last part: "and worth a CVE with at least medium severity". I prefer to not say that in the Python documentation.

@vstinner vstinner marked this pull request as ready for review July 8, 2022 13:19
@vstinner vstinner merged commit 00464bb into python:main Jul 8, 2022
@vstinner vstinner deleted the ssl_wrap_socket branch July 8, 2022 13:20
@vstinner
Copy link
Copy Markdown
Member Author

vstinner commented Jul 8, 2022

Merged. Thanks for the review @tiran.

@shreya1312 shreya1312 mentioned this pull request Jul 23, 2022
Closed
@Ousret Ousret mentioned this pull request Nov 5, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tiran tiran tiran approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@vstinner @tiran @bedevere-bot